CVE-2025-58430
📋 TL;DR
listmonk versions up to 1.1.0 include a nonce parameter in HTTP requests that isn't validated by the backend, allowing requests to be processed without it. This can be chained with other vulnerabilities like CSRF and XSS to create improper admin accounts. All self-hosted listmonk instances running vulnerable versions are affected.
💻 Affected Systems
- listmonk
⚠️ Risk & Real-World Impact
Worst Case
Attackers chain this with CSRF and XSS to create unauthorized admin accounts, gaining full control over the newsletter/mailing list system and potentially accessing sensitive subscriber data.
Likely Case
Attackers exploit this as part of a multi-step attack to gain administrative privileges, allowing them to manipulate mailing lists, send unauthorized emails, or access subscriber information.
If Mitigated
With proper web application firewalls and input validation, the risk is reduced to minor session management issues with limited impact.
🎯 Exploit Status
Exploitation requires chaining with other vulnerabilities (CSRF/XSS) and some authentication context. No public exploit code is available at time of advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check GitHub advisory for latest patched version
Vendor Advisory: https://github.com/knadh/listmonk/security/advisories/GHSA-rf24-wg77-gq7w
Restart Required: No
Instructions:
1. Check the GitHub security advisory for the latest patched version.
2. Update listmonk to the patched version.
3. Verify the fix by testing that nonce validation is properly implemented.
🔧 Temporary Workarounds
Implement CSRF Protection
Add proper CSRF tokens to all state-changing requests and validate them server-side.
Enable WAF Rules
Configure the web application firewall to detect and block requests missing required parameters or showing suspicious patterns.
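The core defect described above is a nonce that the client sends but the server never checks. The following Go middleware is an added example written for this page; it is not listmonk's own code, and the `X-Nonce` header, the `session` cookie and the `/api/users` path are assumed names chosen for illustration. It issues a per-session nonce, rejects every state-changing request whose nonce is missing or does not match that session's value, and compares in constant time.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// NonceStore maps a session id to the nonce issued for it.
// Constructed in-memory store for the example; a deployment would keep
// this alongside the session data.
type NonceStore struct {
	mu     sync.Mutex
	nonces map[string]string
}

func NewNonceStore() *NonceStore { return &NonceStore{nonces: map[string]string{}} }

// Issue generates a fresh 128-bit random nonce for a session and records it.
func (s *NonceStore) Issue(session string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	n := hex.EncodeToString(b)
	s.mu.Lock()
	s.nonces[session] = n
	s.mu.Unlock()
	return n, nil
}

// Valid reports whether the presented nonce is the one issued to this session.
// An empty or unknown value is never valid; the comparison is constant-time so
// the check does not leak how many leading bytes matched.
func (s *NonceStore) Valid(session, presented string) bool {
	s.mu.Lock()
	expected, ok := s.nonces[session]
	s.mu.Unlock()
	if !ok || presented == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(expected), []byte(presented)) == 1
}

// RequireNonce wraps a handler so that state-changing methods are refused
// unless the X-Nonce header (assumed name) matches the caller's session nonce.
// Safe methods pass through untouched.
func RequireNonce(store *NonceStore, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next.ServeHTTP(w, r)
			return
		}
		c, err := r.Cookie("session")
		if err != nil {
			http.Error(w, "no session", http.StatusUnauthorized)
			return
		}
		if !store.Valid(c.Value, r.Header.Get("X-Nonce")) {
			http.Error(w, "missing or invalid nonce", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// createUser stands in for a privileged state-changing endpoint.
func createUser(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusCreated)
}

// Exercise sends a POST to the protected handler with the given session cookie
// and nonce header (empty nonce means the header is omitted) and returns the status.
func Exercise(h http.Handler, session, nonce string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/users", nil)
	req.AddCookie(&http.Cookie{Name: "session", Value: session})
	if nonce != "" {
		req.Header.Set("X-Nonce", nonce)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	store := NewNonceStore()
	n, _ := store.Issue("sess-1")
	h := RequireNonce(store, http.HandlerFunc(createUser))
	fmt.Println("without nonce:", Exercise(h, "sess-1", "")) // 403
	fmt.Println("with nonce:   ", Exercise(h, "sess-1", n))  // 201
}
```

The point of the design is that the nonce is bound to a session and checked on the server for every request that changes state; a nonce the client merely includes but the server ignores, as in the affected versions, provides no protection at all.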
🧯 If You Can't Patch
- Isolate listmonk instance behind authentication proxy with strict access controls
- Implement network segmentation to limit which systems can communicate with listmonk
🔍 How to Verify
Check if Vulnerable:
Confirm whether the listmonk version is 1.1.0 or earlier. Then send HTTP requests without the nonce parameter and check whether they are still processed normally.
Check Version:
Check the listmonk version in the admin interface or via application logs.
Verify Fix Applied:
After updating, verify that requests without proper nonce validation are rejected by the backend.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests missing nonce parameter but still being processed successfully
- Multiple failed authentication attempts followed by successful admin account creation
Network Indicators:
- Unusual patterns of requests to admin endpoints without proper session validation
- Requests from unexpected sources to account creation endpoints
SIEM Query:
source="listmonk" AND (uri_path="/admin/*" OR uri_path="/api/*") AND missing_field="nonce" AND status=200
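The log indicator above, a request to an admin or API endpoint that carries no nonce yet is processed successfully, can be checked outside a SIEM as well. The Go program below is an added example for this page, not part of listmonk or any SIEM product; it runs over a few constructed key=value log lines (the field names `method`, `path`, `status` and `nonce` are assumed, not listmonk's real log format) and reports only the events that match all of the conditions the indicator describes.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Event is one parsed access-log record.
type Event struct {
	Method string
	Path   string
	Status int
	Nonce  string // "present" or "absent" in this constructed format
}

// sampleLog is constructed test data in an assumed key=value format.
const sampleLog = `method=GET path=/admin/users status=200 nonce=present
method=POST path=/api/users status=200 nonce=absent
method=POST path=/api/users status=403 nonce=absent
method=POST path=/api/lists status=200 nonce=present
method=POST path=/subscription/form status=200 nonce=absent
garbage line without fields`

// ParseLine turns one key=value line into an Event. It returns false for
// lines that lack any of the required fields or carry a non-numeric status.
func ParseLine(line string) (Event, bool) {
	fields := map[string]string{}
	for _, tok := range strings.Fields(line) {
		k, v, ok := strings.Cut(tok, "=")
		if ok {
			fields[k] = v
		}
	}
	status, err := strconv.Atoi(fields["status"])
	if err != nil || fields["method"] == "" || fields["path"] == "" {
		return Event{}, false
	}
	return Event{Method: fields["method"], Path: fields["path"], Status: status, Nonce: fields["nonce"]}, true
}

// Suspicious applies the indicator: a state-changing method against an
// admin or API path that succeeded (2xx) although no nonce was supplied.
func Suspicious(e Event) bool {
	stateChanging := e.Method != "GET" && e.Method != "HEAD" && e.Method != "OPTIONS"
	privileged := strings.HasPrefix(e.Path, "/admin/") || strings.HasPrefix(e.Path, "/api/")
	succeeded := e.Status >= 200 && e.Status < 300
	return stateChanging && privileged && succeeded && e.Nonce != "present"
}

// FindSuspicious parses every line of a log and returns the matching events.
func FindSuspicious(log string) []Event {
	var hits []Event
	for _, line := range strings.Split(log, "\n") {
		if e, ok := ParseLine(line); ok && Suspicious(e) {
			hits = append(hits, e)
		}
	}
	return hits
}

func main() {
	for _, e := range FindSuspicious(sampleLog) {
		fmt.Printf("ALERT %s %s -> %d (nonce %s)\n", e.Method, e.Path, e.Status, e.Nonce)
	}
}
```

Of the five sample records only the POST to `/api/users` that returned 200 without a nonce is reported: the 403 response shows the server doing its job, the GET is not state-changing, and the public subscription form is outside the admin and API paths. Tuning the path prefixes to the real deployment and sending the alerts on to the SIEM is what remains for a practitioner.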